ABSTRACT

We introduce a new construction of error-correcting codes from algebraic curves over finite fields. Modular curves of genus $g \to \infty$ over a field of size $q_0^2$ yield nonlinear codes more efficient than the linear Goppa codes obtained from the same curves. These new codes now have the highest asymptotic transmission rates known for certain ranges of alphabet size and error rate. Both the theory and possible practical use of these new record codes require the development of new tools. On the theoretical side, establishing the transmission rate depends on an error estimate for a theorem of Schanuel applied to the function field of an asymptotically optimal curve. On the computational side, actual use of the codes will hinge on the solution of new problems in the computational algebraic geometry of curves.

1. PROLOGUE 

In this section we first review the construction and properties of Goppa codes, to put our work in its context. We then define our new nonlinear codes and give lower bounds on their minimal distance. We conclude this section by stating lower bounds on the size of our codes and comparing our codes' parameters with those of Goppa codes. In the next section we prove the bounds claimed in the Introduction. In the final section we discuss theoretical and computational questions raised by our construction, and show how to solve these problems for the nonlinear codes obtained from rational curves.

1.1 Review: algebro-geometric (Goppa) codes

Fix a finite field $k$ of $q = p^a$ elements. Let $C$ be a projective, smooth, irreducible algebraic curve of genus $g$ defined over $k$, with $N$ rational points. To any divisor $D$ on $C$ of degree $< N$, Goppa ([ ], see also [ ]) regards the space of sections of $D$ as a linear $[N, r, d]$ code with alphabet $k$, for some $d \ge N - \deg(D)$ (because a nonzero section of $D$ has at most $\deg(D)$ zeros) and $r \ge \deg(D) - g + 1$ (by the Riemann-Roch theorem). Thus the transmission rate $R = r/N$ and the error-detection rate $\delta = d/N$ of Goppa's codes are related by

$$R + \delta > 1 - \frac{g}{N}. \tag{1}$$

This lower bound improves as $N/g$ increases. How large can $N/g$ get as $g \to \infty$? An upper bound is

$$N < (q^{1/2} - 1 + o(1)) \cdot g \tag{2}$$

(Drinfeld-Vladut [ ]). We say a curve of genus $g \to \infty$ is "asymptotically optimal" if it has at least $(q^{1/2} - 1 - o(1))\,g$ rational points over $k$. If $a$ is even, i.e., if $q_0 := \sqrt{q}$ is an integer, then modular curves of various flavors — classical (elliptic), Shimura, or Drinfeld — attain

$$N > (g - 1)(q_0 - 1) = (q^{1/2} - 1 - o(1))\,g \tag{3}$$

[11], [ ], and are thus asymptotically optimal. Therefore if $q = q_0^2$ there exist arbitrarily long linear codes over $k$ with

$$R + \delta > 1 - \frac{1}{q_0 - 1} - o(1), \tag{4}$$

and this is the best that can be obtained from (1). Once $q_0 \ge 7$, these codes improve on the Gilbert-Varshamov bound for suitable $R, \delta$.

Actual construction of these codes requires explicit equations for $C$. The definitions of modular curves do not readily yield useful equations, but in recent years many families of modular curves have been given by $O(\log g)$ explicit equations in $O(\log g)$ variables, each equation of degree $O(\log g)$. See [ ] for classical and Shimura curves, [ ] for further Shimura curves, and [ ], [ ], [ ] for Drinfeld modular curves.¹ Using the resulting codes for error-resistant communication also requires polynomial-time decoding of any word at distance $< d/2$ from a codeword; this and more has also been recently accomplished [ ], [15].

¹ Actually the equations in [16] are in two variables but of degree exponential in $\log g$; but they are easily put in an equivalent form of degree $O(\log g)$ by introducing $O(\log g)$ more variables.

1.2 The new nonlinear codes

The Goppa codes generalize the Reed-Solomon codes, which are the special case where $C$ is a projective line $\mathbf{P}^1$ (so $g = 0$). In this special case, the Goppa code can be identified with the space of polynomials of degree at most $\deg(D)$ in one variable, interpreted as words by evaluation at each element of $k$.² Our new idea is to replace these polynomials by rational functions of bounded degree, say degree $\le h$. Since a rational function of degree $\le h$ is determined by two polynomials of degree $\le h$, we expect that $h$ will play a role comparable to half the degree of the divisor $D$ used to construct a Goppa code. The notions of a rational function and its degree extend to curves $C$ of arbitrary genus. Given $C$ with $N$ rational points, we thus define $C_0(h)$ for any $h < N/2$ as follows: $C_0(h)$ consists of the rational functions $f$ on $C$, defined over $k$, such that $\deg(f) \le h$. To give $C_0(h)$ the structure of an error-correcting code, choose an enumeration $(P_1, \ldots, P_N)$ of the $k$-rational points of $C$, and identify $f$ with the $N$-tuple

$$(f(P_1), f(P_2), \ldots, f(P_N)) \tag{5}$$

of values of $f$ at points of $C$. Since $f$ may have poles on some $P_i$, some $f(P_i)$ values may be $\infty$. Thus the alphabet for our new code $C_0(h)$ is not a finite field but a set of size $q + 1$, the projective line $k \cup \{\infty\} = \mathbf{P}^1(k)$ over the finite field $k$. In other words, we are identifying a function $f$ with its graph as a map from $C$ to $\mathbf{P}^1(k)$, just as a polynomial in the Reed-Solomon code was identified with its graph as a map from $k$ to $k$. It is readily seen (Prop. 1 below) that if $f_1, f_2$ are distinct rational functions of degrees $h_1, h_2$ on $C$ then $f_1(P) = f_2(P)$ holds for at most $h_1 + h_2$ points $P$ of $C$. Therefore $C_0(h)$ has minimal distance at least $N - 2h$. In particular, since we assume $h < N/2$, different functions of degree $\le h$ yield different words in $C_0(h)$.

More generally, let $D$ be a divisor of degree zero on $C$. For each $h < N/2$ we define $C_D(h)$ to be the set of rational sections of degree $\le h$ of the line bundle $L_D$ associated to $D$. That is, $C_D(h)$ consists of the zero function together with the nonzero rational functions $f$ on $C$ whose divisor $(f)$ is of the form $E - D$ for some divisor $E$ whose positive and negative parts each have degree at most $h$. To give $C_D(h)$ the structure of an error-correcting code, choose for each $k$-rational point $P_i$ of $C$ a rational function $\varphi_i$ whose divisor has the same order at $P_i$ as $D$, and identify each $f \in C_D(h)$ with the $N$-tuple

$$((\varphi_1 f)(P_1), (\varphi_2 f)(P_2), \ldots, (\varphi_N f)(P_N)) \in (\mathbf{P}^1(k))^N. \tag{6}$$

Different choices of $\varphi_i$ yield isomorphic codes (Lemma 1 below). In particular, if $D = 0$ we recover our earlier definition of $C_0(h)$ by setting each $\varphi_i = 1$. We shall see in Prop. 1 that here, too, any two distinct rational sections of degrees $h_1, h_2$ agree on at most $h_1 + h_2$ points, so $C_D(h)$ has minimal distance at least $N - 2h$, and $f$ can be recovered uniquely from the $N$-tuple (6). Linearly equivalent divisors yield isomorphic codes (Lemma 2), so $D$ can be regarded as a degree-zero divisor modulo linear equivalence, i.e., as an element of the Jacobian $J_C$ of $C$.

² More precisely, the Goppa codes for $g = 0$ are extended Reed-Solomon codes of length $q+1$, with one coordinate for each element of $k$, and an additional coordinate for the leading coefficient, corresponding to evaluation at the point at infinity of $\mathbf{P}^1$.

1.3 Size of the codes; comparison with Goppa

Let $M(h, C)$ be the average size of $C_D(h)$ as $D$ varies over $J_C$:

$$M(h, C) := \frac{1}{\#(J_C)} \sum_{D \in J_C} \#(C_D(h)). \tag{7}$$

We shall show (Thm. 1) that if $C$ is an asymptotically optimal curve then, for each

$$\rho > \frac{2q}{q^2 - 1}, \tag{8}$$

the estimate

$$M(h, C) = \left(\frac{q+1}{q}\right)^{N + o(N)} q^{2h - g} \tag{9}$$

holds as long as $2h/N > \rho$. The threshold (8) is low enough to allow all ratios $h/N$ for which the estimate (9) exceeds 1. In particular, if $2h \ge g$, our codes have on average

$$\left((q+1)/q\right)^{N + o(N)} \tag{10}$$

times as many words as the Goppa codes of the same length and designed minimal distance must have by Riemann-Roch. With a somewhat longer argument we show (Thm. 2) that the same estimate holds for each individual $C_D(h)$, but with a higher threshold $\rho_1(q)$ defined below (equations (73), (75)).



We cannot simply conclude that our codes transmit asymptotically $\log((q+1)/q)$ more bits per letter than Goppa's, because our alphabet size is larger by 1 than that of the Goppa codes. A direct comparison would require Goppa codes over a field of $q + 1$ elements. But it is rare that $q$ and $q + 1$ are both prime powers (one of them must be a power of 2, the other a Mersenne or Fermat prime); and they can never both be squares. Nevertheless we claim that a fair comparison can be made, and shows our codes to be better in a range of parameters that includes all the Goppa codes that improve on Gilbert-Varshamov.

We base this claim on two observations. First, if a code over an alphabet of $q + 1$ letters is as good as a Goppa code, its parameters should obey the relation obtained by extrapolating (4) to an alphabet of size $q + 1$, that is,

$$R + \delta > 1 - \frac{1}{\sqrt{q+1} - 1} - o(1). \tag{11}$$

By (9), our codes' parameters satisfy

$$\frac{\log(q+1)}{\log q}\, R + \delta > 1 - \frac{1}{\sqrt{q} - 1} + \frac{\log\frac{q+1}{q}}{\log q} - o(1). \tag{12}$$

This improves on (11) as long as



1 - R > 



/q+I-l 



+ 0(q~ 



log(2±i)/logg 



lop 



(13) 



This condition holds for all $(R, \delta)$ for which (11) is better than the Gilbert-Varshamov bound.

For a second approach, instead of extrapolating Goppa codes to alphabets of size $q+1$, we degrade our codes by artificially reducing the alphabet size to $q$. To do this, we choose for each $i = 1, \ldots, N$ a forbidden letter $a_i \in \mathbf{P}^1(k)$, and consider only words $w \in C_D(h)$ such that $w_i \ne a_i$ for every $i$. If the $a_i$ are chosen independently at random from $\mathbf{P}^1(k)$, the expected number of such words $w$ is $(q/(q+1))^N \cdot \#(C_D(h))$. These words constitute a code of length $N$ and minimal distance $\ge N - 2h$ over an alphabet of size $q$. But by (9) the size of this code is within a subexponential factor $\exp(o(N))$ of $q^{2h-g}$, the Riemann-Roch lower bound on the number of words in the Goppa code with the same alphabet size, length, and designed distance! Since an average degradation of $C_D(h)$ is thus asymptotically as good as a Goppa code, we may justifiably claim that $C_D(h)$ itself is better than Goppa.

2. PROOFS 

We establish the lower bound $N - 2h$ on the minimal distance of $C_D(h)$, the independence of $C_D(h)$ of the choice of $\varphi_i$, and the isomorphism $C_D(h) \cong C_{D'}(h)$ when the degree-zero divisors $D, D'$ are linearly equivalent. We then prove the asymptotic formula for $M(h, C)$, and indicate how to modify our analysis to estimate the size of individual codes $C_D(h)$.

2.1 The distance bound 

Proposition 1. Let $D$ be a divisor of degree 0 on a curve $C$ over $k$, and suppose $f_1, f_2$ are distinct sections of $L_D$ of degrees $h_1, h_2$. Then the words associated to $f_1, f_2$ by (6) agree on at most $h_1 + h_2$ coordinates. In particular, $C_D(h)$ has minimal distance at least $N - 2h$.

Proof. We may assume that the $f_j$ are nonzero. Let $E_1, E_2$ be the divisors $(f_1) + D$, $(f_2) + D$. These $E_j$ are degree-0 divisors whose positive and negative parts $E_j^+, E_j^-$ each have degree $h_j$. Set $f = f_1 - f_2$, a nonzero rational function on $C$. If $f_1, f_2$ agree on the $i$-th coordinate then $P_i$ is either a pole of both $\varphi_i f_1$ and $\varphi_i f_2$ or a zero of $\varphi_i f$. Let

$$S := \{\, i : 1 \le i \le N,\ (\varphi_i f_1)(P_i) = (\varphi_i f_2)(P_i) = \infty \,\}, \tag{14}$$

and $m = \#(S)$. Then the negative part of the degree-zero divisor $D + (f)$ is bounded above by $E_1^- + E_2^- - \sum_{i \in S} (P_i)$, and thus has degree at most $h_1 + h_2 - m$. Thus the positive part of $D + (f)$ also has degree at most $h_1 + h_2 - m$. Hence there are at most $h_1 + h_2 - m$ choices of $i$ for which $(\varphi_i f)(P_i) = 0$. Since there are $m$ common poles, we deduce that the words associated to $f_1, f_2$ have at most $(h_1 + h_2 - m) + m = h_1 + h_2$ common coordinates, as claimed. □

2.2 Easy isomorphisms 

Lemma 1. All choices of $\varphi_i$ in (6) yield equivalent codes.

Proof. Let $\varphi'_i$ be any other choice, and set $\theta_i = \varphi'_i / \varphi_i$. Then $\theta_i$ is a rational function on $C$ with neither pole nor zero at $P_i$. Thus using $\varphi'_i$ instead of $\varphi_i$ in (6) multiplies the $i$-th coordinate of every word by the nonzero scalar $\theta_i(P_i)$, for each $i$. Since each coordinate is changed by a permutation of the alphabet $k \cup \{\infty\}$, an equivalent code results. □

Lemma 2. If $D, D'$ are linearly equivalent divisors of degree 0 then the codes $C_D(h)$, $C_{D'}(h)$ are isomorphic.

Proof. Let $D' - D$ be the divisor of the function $g$. Then $f$ is a rational section of degree $\le h$ of $D'$ if and only if $fg$ is a rational section of degree $\le h$ of $D$. This identifies $C_D(h)$ and $C_{D'}(h)$ as sets. Having chosen $\varphi_i$ for $D$, we may choose $\varphi'_i := g\varphi_i$ for $D'$. Then (6) gives the same coordinates for $f$ as an element of $C_{D'}(h)$ that $fg$ has as an element of $C_D(h)$. This identifies $C_D(h)$ and $C_{D'}(h)$ as error-correcting codes. □



Some remarks on automorphisms: for nonzero $\theta \in k$ we have an isomorphism $f \mapsto \theta f$ from $C_D(h)$ to itself. Thus the multiplicative group $k^*$ acts on $C_D(h)$. For general $C, D, h$ we expect that this is the full automorphism group of $C_D(h)$. By comparison, the Goppa codes, being linear, have many more automorphisms: translation by any codeword, as well as scalar multiplication. Like the Goppa codes, our $C_D(h)$ can inherit more symmetries from automorphisms of $C$ and/or $k$. Thus if $C$ has an automorphism taking $D$ to a divisor linearly equivalent to $D$ then $C_D(h)$ inherits this automorphism by Lemma 2. In particular, every automorphism of $C$ acts in $C_0(h)$. Likewise, if $C, D$ can be defined over a subfield $k_0$ of $k$ then $\mathrm{Gal}(k/k_0)$ acts on $C_D(h)$. Finally, $C_0(h)$ also has automorphisms by the group $\mathrm{PGL}_2(k)$, which acts on $\mathbf{P}^1(k)$ by fractional linear transformations. Indeed, each $\gamma \in \mathrm{PGL}_2(k)$ yields the automorphism $f \mapsto \gamma \circ f$ of $C_0(h)$. These automorphisms have no Goppa-code analogue.

2.3 The average size $M(h, C)$ of $C_D(h)$

This requires more work. For instance, the functions in $C_0(h)$ can be regarded as the elements of height $\le h$ of the function field $k(C)$. By a function-field analogue of a theorem of Schanuel [13], announced by Serre [14, p. 19] and proved by DiPippo [ ] and Wan [ ] (independently but in the same way), for any genus-$g$ curve $C$ over $k$ the number of such elements is asymptotic to

$$\frac{L_C(1)}{L_C(2)}\, q^{2h + 1 - g} \tag{15}$$

as $h \to \infty$, where $L_C$ is the $L$-function of the curve (defined below). We shall see later that

$$\frac{L_C(1)}{L_C(2)} = \left((q+1)/q\right)^{N + o(N)} \tag{16}$$

if $C$ is an asymptotically optimal curve. The same formula can be obtained for the number of rational sections of $L_D$ of degree at most $h$. But we need formulas valid not for $h \to \infty$ but for $h < N/2$, and this requires explicit and sufficiently small error terms in the asymptotic formula (15).

It is enough to count the elements of $C_D(h) - C_D(h-1)$, which are rational sections $f$ of $L_D$ of degree exactly $h$. These are the functions whose divisors are of the form $E^+ - E^- - D$ where $E^+, E^-$ are effective divisors of degree exactly $h$ with disjoint supports. Necessarily $E^+ - E^-$ is linearly equivalent to $D$. Conversely, for each ordered pair $(E^+, E^-)$ of degree-$h$ effective divisors with disjoint supports such that $E^+ - E^- \sim D$, there are $q - 1$ rational functions $f$ whose divisor is $E^+ - E^- - D$. Thus $\#(C_D(h) - C_D(h-1))$ is $(q - 1)$ times the number of such ordered pairs $(E^+, E^-)$. Averaging over $D$ in $J_C$ lets us ignore the condition $E^+ - E^- \sim D$.

Now it is easy to count pairs $(D^+, D^-)$ of effective divisors of degree $n$ without the additional condition of disjoint supports: the count is $M_n^2$, where $M_n$ is the number of effective divisors of degree $n$. But each such pair $(D^+, D^-)$ is uniquely $(E + E^+, E + E^-)$ for some effective divisors $E, E^+, E^-$ with the supports of $E^+, E^-$ disjoint. Thus

$$M_n^2 = \sum_{h=0}^{n} M_{n-h} A_h, \tag{17}$$

where $A_0 = 1$, and for $h = 1, 2, 3, \ldots$ we define

$$A_h := \frac{1}{q-1}\, \#(J_C)\, \big(M(h, C) - M(h-1, C)\big), \tag{18}$$

which is the number of pairs $(E^+, E^-)$ of effective divisors of degree $h$ and disjoint supports. The identity (17) states that the sequence $\{M_n^2\}$ is the convolution of $\{M_n\}$ with $\{A_h\}$. Thus

$$\sum_{h=0}^{\infty} A_h z^h = \sum_{n=0}^{\infty} M_n^2 z^n \Big/ \sum_{n=0}^{\infty} M_n z^n = Z_2(z) / Z_1(z), \tag{19}$$

where

$$Z_m(z) := \sum_{n=0}^{\infty} M_n^m z^n. \tag{20}$$

This leads us to study the functions $Z_1(z), Z_2(z)$.
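The identities (17) and (18) and the distance bound of Prop. 1 can be checked by brute force in the smallest case; the following is an added example, not code from the paper. It takes C = P^1 over k = F_5 (so g = 0, N = 6, J_C is trivial and M(h, C) = #(C_0(h))), enumerates every rational function of degree at most h, and builds its word (5). The choice q = 5, the point ordering 0, 1, ..., 4, ∞, and the standard count M_n = (q^{n+1} - 1)/(q - 1) of effective divisors on P^1 are assumptions of the example.

```python
from itertools import product

Q = 5          # constructed parameter: k = F_5 (prime, so arithmetic is mod 5)
N = Q + 1      # number of k-rational points of P^1
INF = "inf"    # the extra letter of the alphabet P^1(k) = k ∪ {∞}


def degree(f):
    """Degree of a coefficient sequence (low order first); -1 for zero."""
    for i in range(len(f) - 1, -1, -1):
        if f[i] % Q:
            return i
    return -1


def poly_rem(a, b):
    """Remainder of a modulo b over F_Q (b must be nonzero)."""
    a = [c % Q for c in a]
    db = degree(b)
    inv_lead = pow(b[db], Q - 2, Q)
    while degree(a) >= db:
        da = degree(a)
        factor = a[da] * inv_lead % Q
        for i in range(db + 1):
            a[da - db + i] = (a[da - db + i] - factor * b[i]) % Q
    return tuple(a)


def coprime(a, b):
    """True when gcd(a, b) is a nonzero constant (Euclid's algorithm)."""
    while degree(b) >= 0:
        a, b = b, poly_rem(a, b)
    return degree(a) == 0


def value(f, x):
    """Evaluate the polynomial f at x in F_Q (Horner's rule)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % Q
    return acc


def codeword(a, b):
    """Word (f(P_1), ..., f(P_N)) of f = a/b at the points 0, ..., Q-1, ∞."""
    word = []
    for x in range(Q):
        den = value(b, x)
        word.append(INF if den == 0 else value(a, x) * pow(den, Q - 2, Q) % Q)
    d = max(degree(a), degree(b))      # degree of f as a map to P^1
    word.append(INF if b[d] == 0 else a[d] * pow(b[d], Q - 2, Q) % Q)
    return tuple(word)


def code(h):
    """Words of C(h): f = a/b with a, b coprime, b monic, deg(f) <= h."""
    words = []
    for b in product(range(Q), repeat=h + 1):
        if degree(b) < 0 or b[degree(b)] != 1:
            continue                   # exactly one monic denominator per f
        for a in product(range(Q), repeat=h + 1):
            if coprime(a, b):          # a = 0 is allowed only with b = 1
                words.append(codeword(a, b))
    return words


def min_distance(words):
    """Minimum Hamming distance between two distinct words."""
    return min(sum(u != v for u, v in zip(w1, w2))
               for i, w1 in enumerate(words) for w2 in words[:i])


def disjoint_pair_counts(hmax):
    """A_0..A_hmax solved from (17): M_n^2 = sum_h M_{n-h} A_h, with M_0 = 1."""
    M = [(Q ** (n + 1) - 1) // (Q - 1) for n in range(hmax + 1)]
    A = []
    for n in range(hmax + 1):
        A.append(M[n] ** 2 - sum(M[n - h] * A[h] for h in range(n)))
    return A


if __name__ == "__main__":
    A = disjoint_pair_counts(2)
    sizes = {h: len(set(code(h))) for h in (0, 1, 2)}
    for h in (1, 2):
        # (18) with #(J_C) = 1: (q - 1) A_h = #C(h) - #C(h - 1)
        print(h, sizes[h], (Q - 1) * A[h], sizes[h] - sizes[h - 1])
    print("min distance of C(1):", min_distance(code(1)), ">=", N - 2)
```

In this genus-zero case the count is exactly q^{2h+1}, the value of (15) with L_C = 1.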



Now $Z_1(z)$ is closely related to the zeta function $\zeta_C$ of $C$, defined by

$$\zeta_C(s) := \sum_{n=0}^{\infty} M_n q^{-ns}. \tag{21}$$

Indeed $\zeta_C(s) = Z_1(q^{-s})$. Define

$$L_C(s) := (1 - q^{-s})(1 - q^{1-s})\, \zeta_C(s). \tag{22}$$

It is known that $L_C(s)$, the $L$-function of $C$, is a polynomial of degree $2g$ in $q^{-s}$, of the form

$$L_C(s) = \prod_{j=1}^{2g} (1 - \lambda_j q^{-s}), \tag{23}$$

where the $\lambda_j$, the "eigenvalues of Frobenius" for $C$, are $g$ conjugate pairs of complex numbers, all of absolute value $q^{1/2}$. (This is the "Riemann hypothesis" for $L_C$, here a celebrated theorem of Weil.) Hence

$$Z_1(z) = \prod_{j=1}^{2g} (1 - \lambda_j z) \Big/ \big((1 - z)(1 - qz)\big). \tag{24}$$

This yields the exact formula

$$M_n = \frac{q}{q-1}\, L_C(1)\, \big(q^n - q^{g-1}\big) \quad \text{for } n > 2g - 2. \tag{25}$$

It follows that $Z_2(z)$ has a simple pole at $z = q^{-2}$ with residue

$$\left(\frac{q}{q-1}\, L_C(1)\right)^2 \tag{26}$$

and no other singularities except for simple poles at $z = q^{-1}$ and $z = 1$. Thus $Z_2(z)/Z_1(z)$ has a simple pole at $z = q^{-2}$ with residue

$$\frac{\left(\frac{q}{q-1} L_C(1)\right)^2}{(1 - q^{-2})^{-1} (1 - q^{-1})^{-1} L_C(2)} = \frac{q+1}{q}\, \frac{L_C(1)^2}{L_C(2)} \tag{27}$$

and no other poles with $|z| < q^{-1/2}$, whence

$$A_h = \frac{q+1}{q}\, \frac{L_C(1)^2}{L_C(2)}\, q^{2h} + O_\epsilon\big(q^{(1/2 + \epsilon) h}\big) \tag{28}$$

as $h \to \infty$.

It is further known that $\#(J_C)$ is given by the formula

$$\#(J_C) = q^g L_C(1) = \prod_{j=1}^{2g} (1 - \lambda_j) \tag{29}$$

("Dirichlet class number formula" for function fields). Hence

#(Jc) q - 1 M 2 )

so we have recovered (15) averaged over $J_C$. Still, we need estimates on $A_0 + \ldots + A_h$ for $h < N/2$, not as $h \to \infty$.

To go further we use the distribution of the $\lambda_j$ on the circle $|\lambda|^2 = q$. Let $\alpha_j \in \mathbf{R}/2\pi\mathbf{Z}$ be the argument of $\lambda_j$:

$$\lambda_j = q^{1/2} e^{i\alpha_j}. \tag{31}$$

It is known that a family of curves $C$ is asymptotically optimal if and only if

$$\frac{1}{2g} \sum_{j=1}^{2g} e^{i r \alpha_j} \to \frac{1 - \sqrt{q}}{2}\, q^{-|r|/2} \tag{32}$$

for each nonzero integer $r$ (see for instance "Remark 1" in [ ]). Thus if $C$ is asymptotically optimal then for any continuous function $\phi : \mathbf{R}/2\pi\mathbf{Z} \to \mathbf{C}$ we have

$$\frac{1}{2g} \sum_{j=1}^{2g} \phi(\alpha_j) \to a_0 + \frac{1 - \sqrt{q}}{2} \sum_{r=1}^{\infty} q^{-r/2} (a_r + a_{-r}), \tag{33}$$

where the $a_r$ are the Fourier coefficients of

$$\phi(\alpha) \sim \sum_{r=-\infty}^{\infty} a_r e^{i r \alpha}. \tag{34}$$

Since $\log L_C(s) = \sum_{j=1}^{2g} \log(1 - \lambda_j q^{-s})$ and

$$\log(1 - z q^{1/2} e^{i\alpha}) = -\sum_{r=1}^{\infty} \frac{q^{r/2} z^r}{r}\, e^{i r \alpha} \tag{35}$$

for $|z| < q^{-1/2}$, we calculate

$$\frac{1}{g} \log L_C(s) \to -(q^{1/2} - 1) \log(1 - q^{-s}) \tag{36}$$

for all $s$ in $\{\mathrm{Re}(s) > 1/2\}$, uniformly in any half-plane $\mathrm{Re}(s) \ge \sigma$ with $\sigma > 1/2$. In particular, since $N/g \to q^{1/2} - 1$ for our curves, we have

$$\frac{1}{N} \log \frac{L_C(1)}{L_C(2)} \to \log \frac{1 - q^{-2}}{1 - q^{-1}} = \log \frac{q+1}{q}$$

as we claimed in (16).

We can now prove:

Theorem 1. For $\rho > 0$ define $B(\rho)$ by

$$B(\rho) := \min_{q^{-2} \le r \le q^{-3/2}} r^{-\rho/2}\, \frac{1 - r}{(1 - q^{-1})(1 - qr)}. \tag{37}$$

Then

\begin{align}
A_h &= \frac{q+1}{q}\, \frac{L_C(1)^2}{L_C(2)}\, q^{2h} \tag{38} \\
    &\quad + O\big(B(2h/N)^N \exp o(N)\big). \tag{39}
\end{align}

We have

$$B(\rho) \le q^{\rho} (q+1)/(q-1) \tag{40}$$

for all $\rho > 0$, with strict inequality if $\rho > 2q/(q^2 - 1)$. If $C$ is asymptotically optimal (i.e., if $C$ varies in a family of curves of genus $g \to \infty$ with $N \sim (q^{1/2} - 1) g$ rational points), and for each $C$ we choose $h$ with $\inf(h/N) > q/(q^2 - 1)$, then $\log M(h, C)$ is given asymptotically by (9).



Proof. We estimate the error in (39) using contour integration. By (19) and the discussion around (27) we have

$$A_h - \frac{q+1}{q}\, \frac{L_C(1)^2}{L_C(2)}\, q^{2h} = \frac{1}{2\pi i} \oint_{|z| = r} \frac{Z_2(z)}{Z_1(z)}\, \frac{dz}{z^{h+1}} \tag{41}$$

for any $r \in (q^{-2}, q^{-3/2})$. (In fact we obtain (41) for all $r \in (q^{-2}, q^{-1/2})$, but we shall soon need to assume $r < q^{-3/2}$.) On the circle $|z| = r$ we have

$$\log |Z_1(z)| = -N \log |1 - z| + o(N) \tag{42}$$

by (36). We estimate $|Z_2(z)|$ by using another contour integral to express $Z_2(z)$ in terms of $Z_1$:

Lemma 3. For all $z \ne q^{-1}$ with $q^{-2} < |z| < 1$ we have

$$Z_2(z) = \frac{1}{2\pi i} \oint_{|w| = |z|^{1/2}} Z_1(w)\, Z_1\!\left(\frac{z}{w}\right) \frac{dw}{w} + 2\, \frac{q^2}{q-1}\, L_C(1)\, Z_1(qz). \tag{43}$$

Proof. Consider first $z$ with $0 < |z| < q^{-2}$. For such $z$ we obtain

$$Z_2(z) = \frac{1}{2\pi i} \oint_{|w| = |z|^{1/2}} Z_1(w)\, Z_1\!\left(\frac{z}{w}\right) \frac{dw}{w} \tag{44}$$

by integrating termwise the product of the absolutely convergent series (20) for $Z_1(w)$ and $Z_1(z/w)$. For any $z$ other than $0, q^{-2}, q^{-1}, 1$, the integrand extends to a meromorphic function on $\mathbf{C}$ with simple poles at $w = z, qz, 1/q, 1$ and a multiple pole at $w = 0$. The contour in (44) encloses the poles $0, z, qz$ but not the poles $1/q, 1$. Thus analytic continuation gives

$$Z_2(z) = \frac{1}{2\pi i} \oint Z_1(w)\, Z_1\!\left(\frac{z}{w}\right) \frac{dw}{w} \tag{45}$$

for all $z \notin \{q^{-2}, 1\}$, for any contour that encloses $0, z, qz$ but not $1/q, 1$. Now when $q^{-2} < |z| < 1$ the contour in (43) encloses $0, z, 1/q$ but not $qz, 1$. Thus we can evaluate the contour integral in (43) by starting from (45), adding the residue at $1/q$, and subtracting the residue at $qz$. The former residue is $-(q^2/(q-1))\, L_C(1) Z_1(qz)$, and the latter is $+(q^2/(q-1))\, L_C(1) Z_1(qz)$. This proves (43). □



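Thus (41) is

$$\frac{1}{2\pi i} \oint_{|z| = r} \frac{1}{Z_1(z)} \left( \frac{2q^2}{q-1}\, L_C(1)\, Z_1(qz) + \frac{1}{2\pi i} \oint_{|w| = r^{1/2}} Z_1(w)\, Z_1\!\left(\frac{z}{w}\right) \frac{dw}{w} \right) \frac{dz}{z^{h+1}}. \tag{46}$$

We use (36), (42) to estimate both parts of this. For the single integral, we find

\begin{align}
\log \left| \frac{2q^2}{q-1}\, \frac{Z_1(qz) L_C(1)}{Z_1(z)\, z^h} \right|
  &= -h \log r + N \log \left| \frac{1 - z}{(1 - q^{-1})(1 - qz)} \right| + o(N) \\
  &\le -h \log r + N \log \frac{1 - r}{(1 - q^{-1})(1 - qr)} + o(N). \tag{47}
\end{align}

Thus the single integral is $O(B(2h/N)^N \exp o(N))$. We shall show that the double integral is exponentially smaller than $B(2h/N)^N$; this will prove (39). To estimate the integrand, let $w' = z/w$, so $z = ww'$ and

$$\log \left| \frac{2q^2}{q-1}\, \frac{Z_1(w) Z_1(w')}{Z_1(ww')}\, \frac{1}{z^h} \right| = -h \log r + N \log \left| \frac{1 - ww'}{(1 - w)(1 - w')} \right| + o(N). \tag{48}$$

Here $|w| = |w'| = r^{1/2}$, so

$$\left| \frac{1 - ww'}{(1 - w)(1 - w')} \right| = \left| 1 + \frac{w}{1 - w} + \frac{w'}{1 - w'} \right| \le 1 + 2\, \frac{r^{1/2}}{1 - r^{1/2}} = \frac{1 + r^{1/2}}{1 - r^{1/2}}. \tag{49}$$

Thus our proof of (39) will be complete once we show

$$\frac{1 - r}{(1 - q^{-1})(1 - qr)} > \frac{1 + r^{1/2}}{1 - r^{1/2}}, \tag{50}$$

or equivalently

$$(1 - r^{1/2})^2 > (1 - q^{-1})(1 - qr), \tag{51}$$

and this follows from the observation that

$$(1 - r^{1/2})^2 - (1 - q^{-1})(1 - qr) = q\,(r^{1/2} - q^{-1})^2. \tag{52}$$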



It remains to prove (40) and to show that the "main term" in (39) is indeed exponentially larger than the "error term" as long as $\inf(2h/N) > 2q/(q^2 - 1)$. By (36), the main term is

$$q^{2h} \left(\frac{q+1}{q-1}\right)^{N + o(N)}. \tag{53}$$

Thus strict inequality in the upper bound (40) is what we need to show that (53) exceeds the "error term". The ratio between $B(\rho)$ and the claimed upper bound is

$$q^{-\rho}\, \frac{q-1}{q+1}\, B(\rho) = \frac{q}{q+1} \min_{q^{-2} \le r \le q^{-3/2}} (q^2 r)^{-\rho/2}\, \frac{1 - r}{1 - qr}. \tag{54}$$

Trying $r = q^{-2}$ we find that

$$q^{-\rho}\, \frac{q-1}{q+1}\, B(\rho) \le \frac{q}{q+1} \cdot \frac{q+1}{q} = 1, \tag{55}$$

so the upper bound holds for all $\rho$. Moreover the bound is strict if $r^{-\rho/2} (1 - r)/(1 - qr)$ is a decreasing function of $r$ at $r = q^{-2}$. We calculate that the logarithmic derivative of $r^{-\rho/2} (1 - r)/(1 - qr)$ at $r = q^{-2}$ is

$$-\frac{q^2}{q^2 - 1} \left( (q^2 - 1)\, \frac{\rho}{2} - q \right). \tag{56}$$

This is negative once $\rho > 2q/(q^2 - 1)$, so Theorem 1 is proved. □



2.4 The size of individual codes $C_D(h)$

We showed above that $\#(C_D(h) - C_D(h-1))$ is $(q-1)$ times the number of ordered pairs $(E^+, E^-)$ of effective degree-$h$ divisors with disjoint supports such that $E^+ - E^- \sim D$. Call this number $A_h(D)$, so that the total count $A_h$ introduced in (18) is $\sum_{D \in J_C} A_h(D)$. We expect that $A_h(D)$ is approximated by $A_h / \#(J_C)$ if $h$ is large enough.

To prove this we use a known device from analytic number theory: for each character $\chi$ of the finite abelian group $J_C$, define

$$A_h(\chi) := \sum_{D \in J_C} \chi(D)\, A_h(D). \tag{57}$$

This is the sum of $\chi(E^+ - E^-)$ over all ordered pairs of effective divisors $E^+, E^-$ of degree $h$ with disjoint supports. From the $A_h(\chi)$ we can recover $A_h(D)$ by the usual formula

$$A_h(D) = \frac{1}{\#(J_C)} \sum_{\chi} \overline{\chi}(D)\, A_h(\chi). \tag{58}$$

When $\chi$ is the trivial character (the character sending all of $J_C$ to 1), the sum $A_h(\chi)$ reduces to $A_h$; we expect that the other $A_h(\chi)$ will be smaller. As with $A_h$, we analyze the $A_h(\chi)$ by comparing them with

$$N_n(\chi) := \sum_{\deg(D^+) = \deg(D^-) = n} \chi(D^+ - D^-), \tag{59}$$

the sum extending over all pairs of effective divisors $D^+, D^-$, whether disjointly supported or not. Again, any such pair is uniquely $(E + E^+, E + E^-)$ with $E, E^+, E^-$ effective divisors such that $E^+, E^-$ have disjoint supports; and necessarily $\chi(E^+ - E^-) = \chi(D^+ - D^-)$. Thus we have a convolution formula

$$N_n(\chi) = \sum_{h=0}^{n} M_{n-h}\, A_h(\chi), \tag{60}$$

generalizing (17). We deduce that

$$\sum_{h=0}^{\infty} A_h(\chi)\, z^h = Z_2(z, \chi) / Z_1(z), \tag{61}$$

with $Z_1(z) = \sum_{n=0}^{\infty} M_n z^n$ as above and

$$Z_2(z, \chi) := \sum_{n=0}^{\infty} N_n(\chi)\, z^n. \tag{62}$$

We can factor $N_n(\chi)$ by writing

$$\chi(D^+ - D^-) = \chi(D^+)\, \overline{\chi}(D^-). \tag{63}$$

Since $D^{\pm}$ are not in general divisors of degree zero, this requires that $\chi$ be extended from $J_C$ to the group $\mathrm{Pic}(C)$ of linear equivalence classes of divisors on $C$ of arbitrary degree. For each $\chi$, choose an arbitrary extension of $\chi$ to a homomorphism from $\mathrm{Pic}(C)$ to the unit circle. [For instance, fix a divisor $D_1$ of degree 1, and let $\chi(D_1)$ be an arbitrary complex number of norm 1; any such choice of $\chi(D_1)$ yields a unique extension of $\chi$ to $\mathrm{Pic}(C)$.] Then

$$N_n(\chi) = M_n(\chi)\, M_n(\overline{\chi}), \tag{64}$$

where $M_n(\chi)$ is the sum of the values of $\chi$ on effective divisors of degree $n$. [Changing $\chi(D_1)$ to $\beta \chi(D_1)$, for some $\beta \in \mathbf{C}$ of norm 1, multiplies $M_n(\chi)$ and $M_n(\overline{\chi})$ by $\beta^n$ and $\beta^{-n}$ respectively, and thus does not change their product.]

For a nontrivial character $\chi$ we have $M_n(\chi) = 0$ for all $n > 2g - 2$, because by Riemann-Roch each degree-$n$ class in $\mathrm{Pic}(C)$ is represented the same number of times in the sum $M_n(\chi)$.³ Thus

$$L(s, \chi) := \sum_{n} M_n(\chi)\, q^{-ns} \tag{66}$$

is a finite sum. This sum, called the $L$-function associated to $\chi$, is again known to satisfy a Riemann hypothesis, which yields a factorization

$$\sum_{n=0}^{2g-2} M_n(\chi)\, z^n = \prod_{j=1}^{2g-2} \big(1 - \lambda_j(\chi)\, z\big) \tag{67}$$

for some $\lambda_j(\chi)$ all of absolute value $q^{1/2}$. Unlike the eigenvalues of Frobenius $\lambda_j$ for $C$, the $\lambda_j(\chi)$ are of unknown distribution even for an asymptotically optimal $C$. Thus instead of asymptotic formulas for

$$Z_1(z, \chi) := \sum_{n=0}^{2g-2} M_n(\chi)\, z^n \tag{68}$$

we get only an upper bound:

$$|Z_1(z, \chi)| \le \big(1 + q^{1/2} |z|\big)^{2g-2} \tag{69}$$

for all $z \in \mathbf{C}$. But an upper bound is all we need because $|Z_1(z, \chi)|$ contributes only to the error terms $A_h(\chi)$, $A_h(\overline{\chi})$. Since $Z_1(z, \chi)$ is a polynomial, we need not worry about nonzero poles in the contour integral

$$Z_2(z, \chi) = \frac{1}{2\pi i} \oint Z_1(w, \chi)\, Z_1\!\left(\frac{z}{w}, \overline{\chi}\right) \frac{dw}{w} \tag{70}$$

for $Z_2(z, \chi)$, which holds for all $z \ne 0$. Therefore

$$|Z_2(z, \chi)| \le \big(1 + \sqrt{q|z|}\big)^{4g-4}. \tag{71}$$

Using contour integration about a circle of radius $r$ to isolate the $z^h$ term of (61), we obtain

$$|A_h(\chi)| \le r^{-h} \big(1 + \sqrt{qr}\big)^{4g} (1 + r)^{N + o(N)} \tag{72}$$

for any positive $r < q^{-1/2}$. Minimizing this over $r$, summing over the $\#(J_C)$ choices of $\chi$, and using our known estimates for $A_h$ and $L_C(1)$, we find:

Theorem 2. For $\rho > 0$ define $B_1(\rho)$ by
B 1 (p)~^-q K min r - p/2 (l + r)(l + ^) 4k , (73) 
where $\kappa := 1/(\sqrt{q} - 1)$. Then

$$A_h(D) = \frac{1}{\#(J_C)} \Big( A_h + O\big(B_1(2h/N)^N \exp o(N)\big) \Big) \tag{74}$$

for every degree-0 divisor $D$. There exists a unique $\rho_1 = \rho_1(q) > 0$ such that

$$B_1(\rho_1) = q^{\rho_1}\, \frac{q+1}{q-1}; \tag{75}$$

$B_1(\rho) < q^{\rho} (q+1)/(q-1)$ for all $\rho > \rho_1$. If $C$ is asymptotically optimal, and for each $C$ we choose $h$ with $\inf(2h/N) > \rho_1$, then $\log \#(C_D(h))$ is given asymptotically by

$$\#(C_D(h)) = \left(\frac{q+1}{q}\right)^{N + o(N)} q^{2h - g}. \tag{76}$$

³ This already suffices to show that as $h \to \infty$ the formula

$$A_h(D) = \frac{q+1}{q}\, \frac{L_C(1)}{L_C(2)}\, q^{2h - g} + O_\epsilon\big(q^{(1/2 + \epsilon) h}\big) \tag{65}$$

holds not only on average over $D$ (this average estimate is (28)) but also for each $D$. We thus recover Schanuel's theorem with a sharp error term. But again our present application requires estimates for $h \ll N$, not $h \to \infty$.



Proof. Estimate (74) follows from (58) and the bound (72) on each term with $\chi$ nontrivial, together with the facts $g/N \to \kappa$ and

#(Jc) = q s

9 + 1

iV+o(JV)

(77)

(see (29), (36)). For the remainder term to be exponentially smaller we must have $h/N > q/(q^2 - 1)$ (from Thm. 1) and

$$B_1(2h/N) < q^{2h/N}\, \frac{q+1}{q-1}. \tag{78}$$

The ratio between the two sides is

1

min (q r )

-p/2

(l + r)(l + ^) 4

(79)

where again $\rho = 2h/N$. For all $r \le q^{-2}$, the product (79) exceeds $(1 - q^{-1})\, q^{\kappa} > 1$. For $r = q^{-1/2}$ the product clearly falls below 1 once $\rho$ is large enough. Thus (79) equals 1 for some $\rho_1$, with the minimum attained at some $r > q^{-2}$; since $(q^2 r)^{-\rho/2} (1 + r)(1 + \sqrt{qr})^{4\kappa}$ is a decreasing function of $\rho$ for that $r$, the inequality (78) holds for all $2h/N > \rho_1$. It is not hard to check that $\rho_1 > 2q/(q^2 - 1)$ — even the lower bound q K ^-q-i q /(i 2 ' 1 ) on (79) suffices for this. The claim (76) now follows from (74) and Thm. 1. □

The following short table lists $\rho_1$ rounded to four decimals for $q = q_0^2$ and $q_0$ a prime power $\le 16$:

q        2^2      3^2      4^2      5^2      7^2
rho_1    4.3461   1.8541   1.1606   0.8348   0.5276

q        8^2      9^2      11^2     13^2     16^2
rho_1    0.4440   0.3827   0.2990   0.2448   0.1919

Since the definition of $C_D(h)$ requires $2h < N$, we must have $\rho < 1$, so the threshold $\rho_1$ is too high for $q = 4, 9, 16$. For these small $q$, we get information only about the average size $M_h(C)$ of the codes $C_D(h)$ with small $\delta$. But it is only for $q \ge 49$ that any of the algebraic-geometry codes improve on Gilbert-Varshamov. For $q = 49$ it turns out that $\rho_1$ is larger than the maximal $2h/N$ for which $M_h(C)$ attains or exceeds the Gilbert-Varshamov bound. For $q \ge 64$, we find that $\rho_1$ is within the range of codes whose average size $M_h(C)$ improves on Gilbert-Varshamov; thus in each case we have a subrange in which each individual code $C_D(h)$ is known to be exponentially larger than the Gilbert-Varshamov bound. As $q$ increases, $\rho_1(q) \to 0$, so this subrange of $2h/N$ values covers almost all of $(0, 1)$.

3. PROBLEMS

3.1 New problems in computational algebraic geometry

A new construction of error-correcting codes automatically raises new decoding problems. When the codes come from algebraic curves, these problems can be stated in terms of the geometry of the curves. For example, for $C_0(h)$, the problem of nearest-neighbor decoding is a special case of the following problem:



Problem 1. Given: an algebraic curve $C$ of genus $g$ over a field $k$; a list $(P_1, \ldots, P_N)$ of $k$-rational points of $C$; an $N$-tuple $(w_1, \ldots, w_N)$ in $(\mathbf{P}^1(k))^N$; and integers $h, e \ge 0$. Find a rational function $f$ of degree at most $h$ on $C$ such that $f(P_i) = w_i$ for each $i$ with at most $e$ exceptions, assuming that at least one such $f$ exists.



Similarly for $C_D(h)$:

Problem 1'. Given: an algebraic curve $C$ of genus $g$ over a field $k$; a divisor $D$ of degree zero on $C$; a list $(P_1, \ldots, P_N)$ of $k$-rational points of $C$, and functions $\varphi_i$ whose divisor has the same order at $P_i$ as $D$; an $N$-tuple $(w_1, \ldots, w_N)$ in $(\mathbf{P}^1(k))^N$, and integers $h, e \ge 0$. Find a rational section $f$ of $D$ of degree at most $h$ on $C$ such that $(\varphi_i f)(P_i) = w_i$ for each $i$ with at most $e$ exceptions, assuming that at least one such $f$ exists.



By Prop. 1, if $2(h + e) < N$ then $f$ is uniquely determined; if $2(h + e)$ equals or exceeds $N$, but not by too much, one might still hope that there are few enough spurious $f$ that "list decoding" (that is, finding all possible $f$, not just one) may be feasible as in [10], [ ].



The special case $e = 0$ of Problem 1 or 1' is the error detection or recognition problem: is a given word in the code? For a Goppa code, the recognition problem is readily solved in time polynomial in the length of the code: the code is linear, so recognition reduces to linear algebra. But the new codes $C_D(h)$ are nonlinear, and an efficient error-detection algorithm is not obvious.

Another, possibly even more fundamental, difficulty is enumerating $C_D(h)$. To use $C_D(h)$ in any error-correcting application other than the highly unlikely application of transmitting the values of a low-degree rational section of $D$, one must have an efficient means of generating the $m$-th codeword as a function of $m$, and of inverting this function to recover the integer $m$ transmitted. For a linear code with a known basis, enumeration is no harder than recognition, but again the problem seems nontrivial for our nonlinear codes $C_D(h)$. It is not necessary to enumerate every codeword: if $M < \#(C_D(h))$, an efficiently computable and invertible injection from $[M] := \{1, \ldots, M\}$ to $C_D(h)$ would still let us use an $M$-word subcode of $C_D(h)$ for error-resistant communication. But $M$ must not be so much smaller than $\#(C_D(h))$ as to reduce the asymptotic transmission rate. Thus we ask:



Problem 2. Find $M = \#(C_D(h))^{1-o(1)}$ and an injection $\iota : [M] \hookrightarrow C_D(h)$ such that both $\iota$ and the inverse function $\iota^{-1} : \iota([M]) \to [M]$ are efficiently computable.



3.2 Solutions for C of genus zero 

We show that both Problems 1 and 2 have polynomial-time solutions when C has genus zero. (In that case, all degree-zero divisors are linearly equivalent, so Problems 1 and 1' are equivalent.) This does not directly address the issue of using $C_D(h)$ for error-resistant communications, because that application requires curves of large genus; the most direct generalization of our solution to arbitrary C requires exhaustion over $J_C$ and thus takes time exponential in the genus. Nevertheless we have hope that our solutions can be adapted to the large-genus case, especially for Problems 1 and 1'. This is because we solve Problem 1 in genus zero by adapting a known algorithm for decoding Reed-Solomon codes. Goppa codes are large-genus generalizations of Reed-Solomon codes, and can be decoded efficiently Ju], [3. It may be possible to combine ideas from these decoding algorithms and our genus-zero solution of Problem 1 to solve that Problem in general.

In the genus-zero case, all $C_D(h)$ with the same q, h are isomorphic. Thus we may and shall assume D = 0, and call the codes simply "C(h)", suppressing the subscript. This C(h) consists of rational functions in one variable x, evaluated at $x = P_i$ (one of which may be $\infty$). A rational function f(·) of degree h is a quotient a(x)/b(x) of relatively prime polynomials a, b in x of degree $\le h$:

$$f(x) = \frac{a(x)}{b(x)} = \frac{\sum_{j=0}^{h} a_j x^j}{\sum_{j=0}^{h} b_j x^j} \tag{80}$$

with the leading coefficients $a_h, b_h$ not both zero. A condition $f(P_i) = w_i$ is a homogeneous linear equation in the 2h + 2 coefficients $a_j, b_j$. (If $w_i = \infty$ the equation becomes $b(P_i) = 0$; if $P_i = \infty$ the equation is $a_h = w_i b_h$ if $w_i$ is finite, $b_h = 0$ if $w_i = \infty$.⁴) Thus the recognition problem amounts to solving the N simultaneous linear equations coming from $f(P_i) = w_i$, which we can do in time polynomial in N. We claim that every nonzero solution is proportional to $(a_j, b_j)$ and thus recovers the function f = a/b, as long as 2h < N, exactly the condition we imposed on h when we defined C(h). Indeed, suppose $(a'_j, b'_j)$ is another solution, yielding another rational function f' = a'/b'. Then the polynomial A := a'b − ab', of degree at most 2h, vanishes at all finite $P_i$, and its $x^{2h}$ coefficient vanishes if some $P_i = \infty$. Thus A is identically zero, and f = f' as claimed. If f is of degree < h, the same argument shows that the linear equations on $a_j, b_j$ will have a solution space of dimension h − deg(f) + 1, and any nonzero solution vector recovers f as a/b. We have thus solved the genus-zero case of Problem 1 for e = 0 and 2h < N.

4 As usual the special cases $P_i = \infty$, $w_i = \infty$ that appear here and later can be avoided by using homogeneous coordinates on $\mathbf{P}^1$ and regarding f as the quotient of two degree-h homogeneous polynomials in two variables.

The same system of simultaneous linear equations with h replaced by h + e also solves the genus-zero case of Problem 1 for any e such that 2(h + e) < N, that is, for all e less than half the designed distance N − 2h of the code. To see this, suppose f = a/b differs from the word w in at most e coordinates, and let c(x) be an "error-locating polynomial": a polynomial of degree at most e that vanishes at each finite $P_i$ where $f(P_i) \ne w_i$. (If one of the errors is at $P_i = \infty$ then c(x) has degree at most e − 1.) Then the coefficients of the polynomials ac and bc satisfy the linear equations on the coefficients of polynomials of degree h + e whose quotient agrees with w at all $P_i$. Any solution $(a'_j, b'_j)$ of these equations yields polynomials a', b' such that A := c(a'b − ab'), which now is a polynomial of degree $\le 2(h + e)$, vanishes at all finite $P_i$ and has vanishing $x^{2(h+e)}$ coefficient if some $P_i = \infty$. Again it follows that A = 0 identically and f = a'/b'. Thus as claimed we can decode the codes C(h) associated to $C = \mathbf{P}^1$ up to the error-correcting bound $\lfloor (N-1)/2 \rfloor - h$.
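The genus-zero decoder described above, as an added example that is not part of the paper: it builds the N homogeneous linear equations in the coefficients of a', b' of degree at most h + e, takes any nonzero solution, and reduces a'/b' to lowest terms with Euclid's algorithm. Assumptions made here: k is the prime field F_13, every point P_i is finite, and all function names and the sample word are constructed for illustration.

```python
P = 13      # constructed example field k = F_13 (assumption: a prime field)
INF = None  # stands for the value "infinity" in P^1(k)

def trim(a):
    while a and a[-1] == 0: a.pop()
    return a

def polydivmod(a, b):  # quotient, remainder of a by b != 0 (low degree first)
    a, q = a[:], [0] * max(len(a) - len(b) + 1, 0)
    inv = pow(b[-1], -1, P)
    for s in range(len(q) - 1, -1, -1):
        q[s] = a[s + len(b) - 1] * inv % P
        for j, bj in enumerate(b):
            a[s + j] = (a[s + j] - q[s] * bj) % P
    return trim(q), trim(a)

def kernel_vector(rows, n):  # one nonzero v with rows*v = 0 over F_P
    rows, piv = [r[:] for r in rows], {}  # piv: pivot column -> row index
    for c in range(n):
        r = len(piv)
        i = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if i is None: continue
        rows[r], rows[i] = rows[i], rows[r]
        inv = pow(rows[r][c], -1, P)
        top = [x * inv % P for x in rows[r]]
        rows = [top if k == r else [(x - row[c] * y) % P for x, y in zip(row, top)]
                for k, row in enumerate(rows)]
        piv[c] = r
    free = next(c for c in range(n) if c not in piv)  # exists when some f fits
    return [1 if c == free else -rows[piv[c]][free] % P if c in piv else 0
            for c in range(n)]

def decode(points, word, h, e):  # needs 2(h+e) < N and at most e errors
    d, rows = h + e, []
    for x, w in zip(points, word):
        pw = [pow(x, j, P) for j in range(d + 1)]
        # row for b'(x) = 0 if w is infinity, else for a'(x) - w*b'(x) = 0
        rows.append([0] * (d + 1) + pw if w is INF else pw + [-w * t % P for t in pw])
    v = kernel_vector(rows, 2 * d + 2)
    a, b = trim(v[:d + 1]), trim(v[d + 1:])
    g, r = a, b
    while r:  # Euclid: g becomes gcd(a', b'), which absorbs the error locator
        g, r = r, polydivmod(g, r)[1]
    s = pow(polydivmod(b, g)[0][-1], -1, P)  # scale so the denominator is monic
    return tuple([c * s % P for c in polydivmod(p, g)[0]] for p in (a, b))

# Constructed sample: f(x) = (x^2+1)/(x+9) at x = 0..9 (pole at x = 4); errors at x = 1, 7
POINTS = list(range(10))
RECEIVED = [3, 5, 4, 3, INF, 0, 12, INF, 0, 6]
```

With N = 10, h = 2 and e = 2 the condition 2(h + e) < N holds, and `decode(POINTS, RECEIVED, 2, 2)` returns `([1, 0, 1], [9, 1])`, the coefficient lists of a = x^2 + 1 and b = x + 9 (low degree first).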



In the genus-zero case the enumeration problem also has a polynomial-time solution, even without relaxing it to a large subset of C(h) as in Problem 2. When $C = \mathbf{P}^1$, the L-function of C is the constant 1, so we know $Z_1$ exactly, and thus also $Z_2$ and $A_h$. We calculate:

$$Z_1(z) = \frac{1}{(1-z)(1-qz)}, \qquad M_n = \frac{q^{n+1}-1}{q-1}, \tag{81}$$

$$Z_2(z) = \frac{1+qz}{(1-z)(1-qz)(1-q^2 z)}, \qquad \frac{Z_2(z)}{Z_1(z)} = \frac{1+qz}{1-q^2 z}, \tag{82}$$

whence $A_h = q^{2h} + q^{2h-1}$ for h > 0. Since $A_0 = 1$,

$$\#(C(h)) = 1 + (q-1)\sum_{j=0}^{h} A_j = q^{2h+1} \tag{83}$$



(so the asymptotic formula (^) is exact here.⁵) We next construct a bijection $\iota$ from C(h) to a finite field k' containing k with degree 2h + 1. Since k' is readily enumerated (choose a basis for k' as a vector space over its prime field), our bijection will yield a complete enumeration of C(h). To construct $\iota$, fix $x_0 \in k'$ that generates k' over k, and define $\iota(f) = f(x_0)$ for all $f \in C(h)$. Note that $f(x_0)$ cannot be $\infty$, because the denominator of f has degree at most h < [k' : k], and thus cannot vanish at $x_0$. Moreover, $\iota$ is an injection: if $f_1, f_2$ are distinct rational functions of degree at most h we cannot have $f_1(x_0) = f_2(x_0)$, because then $x_0$ would be a root of a polynomial of degree at most 2h, and thus could not generate the field extension k'/k. Since #(k') = #(C(h)) it follows that $\iota$ is a bijection. To invert $\iota$, we must express any $x_1 \in k'$ as $a(x_0)/b(x_0)$ for some polynomials a, b of degrees $\le h$. This, too, can be done by solving 2h + 1 simultaneous linear equations, and thus in time polynomial in q. For instance, find the intersection of the two k-vector subspaces

$$\{a(x_0) : a \in k[X],\ \deg(a) \le h\} \tag{84}$$

and

$$\{x_1 b(x_0) : b \in k[X],\ \deg(b) \le h\}, \tag{85}$$

of dimension h + 1 in k'. Note that the intersection has dimension at least 2(h + 1) − (2h + 1) = 1, and thus contains a nonzero vector. This proves directly that the injection $\iota$ is onto, and thus also completes an alternative proof of the formula (83).

5 This result, but not the simpler proof we give next, already occurs in [12], as a special case of a formula for $\#(C_0(h))$ depending only on the zeta function of C in the case that C is hyperelliptic.

Remark: The algorithms in this section are polynomial-time but far from optimal. The simultaneous linear equations that arise are of a special form that can be solved much more quickly by other methods such as fast gcd's in k[X].

3.3 Theoretical problems 

Our results also suggest at least three theoretical problems. When $q \ge 7^2$, it is known that Goppa's code can be modified to improve on both Gilbert-Varshamov and (Q) near the crossover points between these two lower bounds.



Problem 3. Does our construction of $C_D(h)$ admit similar improvements near the crossover points between ( jl^ ) and the Gilbert-Varshamov bound for codes over an alphabet of q + 1 letters?

A second problem is whether the thresholds $2q/(q^2 - 1)$ and $\rho_1(q)$ of Thms. | and Thm. | are best possible:

Problem 4. Can the bounds $2q/(q^2 - 1)$ and $\rho_1(q)$ be reduced? In particular, can any of $\rho_1(4)$, $\rho_1(9)$, $\rho_1(16)$ be replaced by a threshold < 1?



If $\rho_1(4)$ can be pushed below 1 then (g|) will yield a deterministic construction of arbitrarily long algebraic-geometry codes over a five-letter alphabet with $R, \delta$ both bounded away from zero. Note that by (Q) Goppa codes do not do this when q = 4. For a five-letter alphabet, Thm. 1 proves the existence of such codes, but does not let us specify one in time polynomial in N, because of the averaging over $J_C$. We may thus ask:



Problem 5. Is it possible to compute, in polynomial or random polynomial time, a choice of D that makes $C_D(h)$ at least as large as average, and thus with $R, \delta$ both provably bounded away from zero?

Finally, a more speculative kind of problem concerns our earlier observation that degrading $C_D(h)$ to a q-letter alphabet yields nonlinear codes with exactly the same $R, \delta$ as Goppa codes. Is this more than a coincidence? That is,



Problem 6. Give a conceptual explanation for the factor $((q+1)/q)^N$ in (j^j, and for the fact that it exactly cancels the degradation factor $(q/(q+1))^N$.